Adding feature store docs

Author: harsh97

ads/feature_store/docs/source/index.rst

@@ -27,9 +27,9 @@ Feature Store
 .. toctree::
     :maxdepth: 2
     :caption: Getting started:
-
+    
     overview
-    user_guides.setup.feature_store_operator
+    setup_feature_store
     quickstart
 
 .. toctree::

ads/feature_store/docs/source/setup_feature_store.rst

@@ -0,0 +1,78 @@
+====================
+Setup Feature Store
+====================
+
+Feature store is being provided by OCI as a stack based offering in user's own tenancy via OCI marketplace. It can be configured by the user primarily in two ways:
+
+:doc:`Setup via Feature Store Marketplace Operator (Recommended) <./user_guides.setup.feature_store_operator>`
+__________________________________________________________
+
+The feature store marketplace operator can be used to setup the feature store api server in an existing OKE cluster while also utilising an existing MySQL database. It will also help setup authentication and authorization using OCI. For more details, see :doc:`Marketplace operator <./user_guides.setup.feature_store_operator>`
+
+:doc:`Setup via Helm Charts <./user_guides.setup.helm_chart>`
+_______________________________
+
+We can manually export images to OCIR using Marketplace UI and then deploy the obtained Helm Chart. Optionally, we can also setup Feature Store API Gateway stack for authentication and authorization.
+
+.. _Database configuration:
+
+Database configuration
+-----------------------
+
+Feature Store can be configured to use your existing MySQL database. It supports two types of authentication:
+
+1.  Basic (Not recommended): The password is stored as plaintext in the API server.
+2.  Vault (Recommended): The password is stored in an encrypted format inside `OCI Vault <https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm>`_.
+
+Storing the password in Vault:
+
+1. (Optional) Create a new Vault.
+2. (Required) Create a secret of plain-text type containing the db password.
+3. (Required) Additional policies for the Feature Store API dynamic group to allow reading the secret from Vault:
+    - ``Allow dynamic-group <feature-store-dynamic-group> to use secret-family in tenancy``
+
+Here ``feature-store-dynamic-group`` is the dynamic group corresponding to the instances of the OKE nodepool where the server is deployed. `Dynamic groups <https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm#:~:text=Dynamic%20groups%20allow%20you%20to,against%20Oracle%20Cloud%20Infrastructure%20services.>`_
+
+
+.. _Policies:
+Policies
+---------
+
+Policies required by the user deploying:
+
+.. code-block:: text
+
+    allow group <user-group> to manage clusters in compartment <compartment-name>
+    allow group <user-group> to use repos in compartment <compartment-name>
+    allow group <user-group> to manage marketplace-listings in compartment <compartment-name>
+    allow group <user-group> to read compartments in compartment <compartment-name>
+    allow group <user-group> to manage app-catalog-listing in compartment <compartment-name>
+    allow group <user-group> to read object-family in compartment <compartment-name>
+
+
+The policies required by the Feature Store API server are:
+
+.. code-block:: text
+
+    allow dynamic-group <feature-store-dynamic-group> to read compartments in tenancy
+
+    allow dynamic-group <feature-store-dynamic-group> to manage data-catalog-family in tenancy
+
+    allow dynamic-group <feature-store-dynamic-group> to inspect data-science-models in tenancy
+
+
+Here ``feature-store-dynamic-group`` is the dynamic group corresponding to the instances of the OKE nodepool where the server is deployed. `Dynamic groups <https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm#:~:text=Dynamic%20groups%20allow%20you%20to,against%20Oracle%20Cloud%20Infrastructure%20services.>`_
+
+.. _Known Issues:
+
+Known Issues
+-------------
+
+1. Deployment doesn't work in Virtual Nodepool as the Feature Store API server relies on Instance Principal authentication.
+ 
+
+.. toctree::
+  :maxdepth: 1
+
+  ./user_guides.setup.feature_store_operator
+  ./user_guides.setup.helm_chart

ads/feature_store/docs/source/user_guides.setup.feature_store_operator.rst

@@ -1,5 +1,5 @@
 =================================
-Feature Store Deployment Operator
+Feature Store Deployment Operator (Recommended)
 =================================
 
 The Feature Store marketplace operator uses your current infrastructure to set up a Feature Store. It helps in setting up the Feature Store API server in your exisiting OKE cluster and MySQL database.
@@ -12,22 +12,19 @@ The Feature Store Marketplace Operator can be installed from PyPi using the foll
 
 .. code-block:: bash
 
-    python3 -m pip install "https://github.com/oracle/accelerated-data-science.git@feature-store-marketplace[feature-store-marketplace]"
+    python3 -m pip install "https://github.com/oracle/accelerated-data-science.git@oracle-ads[feature-store-marketplace]"
 
 
 After that, the Operator is ready to go!
 
 Configuration
 -------------
 
-After having set up ads opctl on your desired machine using ads opctl configure, you are ready to begin setting up Feature Store. At a minimum, you need to provide the following details about your infrastructure:
+After having set up `ads opctl` on your desired machine using `ads opctl configure`, you are ready to begin setting up Feature Store. At a minimum, you need to provide the following details about your infrastructure:
 
 - The path to the OCIR repository where Feature Store container images are cloned.
 - The compartment ID where Feature Store is set up.
-
-.. seealso::
-   :ref:`Database configuration`
-
+- :ref:`Database configuration details <Database configuration>`
 - The app name to use for Helm.
 - The namespace to use in the Kubernetes cluster.
 - The version of the Feature Store stack to install.
@@ -47,8 +44,8 @@ Before running the operator you need to configure the following requirements:
 
 1. Helm: Helm is required to be installed on the machine for deploying Feature Store helm chart to the Kubernetes cluster. Ref: `Installing Helm   <https://helm.sh/docs/intro/install/>`_
 2. Kubectl: Kubectl is required to be installed to deploy the helm chart to the cluster. Ref: `Installing Kubectl <https://kubernetes.io/docs/tasks/tools/>`_
-3. :ref:`Policies`: Required policies for API server.
-4. `Setup cluster access locally: <https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm#:~:text=Under%20Containers%20%26%20Artifacts%2C%20click%20Kubernetes,shows%20details%20of%20the%20cluster>`_
+3. :ref:`Policies`: Required policies for API server and user running the operator.
+4. `Setup cluster access locally <https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm#:~:text=Under%20Containers%20%26%20Artifacts%2C%20click%20Kubernetes,shows%20details%20of%20the%20cluster>`_
 
 
 Run
@@ -58,45 +55,9 @@ After the feature_store_marketplace.yaml is written using the init step above, y
 
 .. code-block:: bash
 
-    ads operator run -f feature_store_marketplace.yaml
-
-
-**Common Issues**
- -- TODO --
-
-
-.. _Policies:
-
-Policies
----------
-
-The policies required by the Feature Store API server are:
-
-.. code-block:: text
-
-    allow dynamic-group <feature-store-dynamic-group> to read compartments in tenancy
-
-    allow dynamic-group <feature-store-dynamic-group> to manage data-catalog-family in tenancy
-
-    allow dynamic-group <feature-store-dynamic-group> to insect data-science-models in tenancy
-
-Here ``feature-store-dynamic-group`` is the dynamic group corresponding to the instances of the OKE nodepool where the server is deployed. `Dynamic groups <https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm#:~:text=Dynamic%20groups%20allow%20you%20to,against%20Oracle%20Cloud%20Infrastructure%20services.>`_
-
-.. _Database configuration:
-
-Database configuration
------------------------
+    ads operator run -f feature_store_marketplace.yaml -b marketplace.python
 
-Feature Store can be configured to use your existing MySQL database. It supports two types of authentication:
 
-1.  Basic (Not recommended): The password is stored as plaintext in the API server.
-2.  Vault (Recommended): The password is stored in an encrypted format inside `OCI Vault <https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm>`_.
 
-Storing the password in Vault:
 
-1. (Optional) Create a new Vault.
-2. (Required) Create a secret of plain-text type containing the db password.
-3. (Required) Additional policies for the Feature Store API dynamic group to allow reading the secret from Vault:
-    - ``Allow dynamic-group <feature-store-dynamic-group> to use secret-family in tenancy``
 
-Here ``feature-store-dynamic-group`` is the dynamic group corresponding to the instances of the OKE nodepool where the server is deployed. `Dynamic groups <https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm#:~:text=Dynamic%20groups%20allow%20you%20to,against%20Oracle%20Cloud%20Infrastructure%20services.>`_

ads/feature_store/docs/source/user_guides.setup.helm_chart.rst

@@ -0,0 +1,191 @@
+=================================
+Setup using Helm Charts
+=================================
+
+We always suggest to deploy feature store via the :doc:`Feature Store Operator <./user_guides.setup.feature_store_operator>` to setup Feature Store API server in OKE Cluster. This method should preferably be used only when the operator can not satisfy your requirements
+as it is much simpler to do the setup via the operator.
+
+
+Prerequisites
+_____________
+
+- Setup `MySQL Database <https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/mysql-database/doc/overview-mysql-database-service.html>`_  so that it is reachable from the API server
+.. seealso::
+   :ref:`Database configuration`
+- :ref:`Helm Setup`
+- :ref:`Policies`
+- `Setup cluster access locally <https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm#:~:text=Under%20Containers%20%26%20Artifacts%2C%20click%20Kubernetes,shows%20details%20of%20the%20cluster>`_
+
+Steps to deploy API server image
+________________________________
+
+- Export the package to OCIR using the `Feature store marketplace listing <https://cloud.oracle.com/marketplace/application/ocid1.mktpublisting.oc1.iad.amaaaaaabiudgxya26lzh2dsyvg7cfzgllvdl6xo5phz4mnsoktxeutecrvq>`_
+- Wait for export work request to complete
+- Identify the Helm chart and API images exported to OCIR:
+   - Helm chart image would be of format: ``<ocir-image>:<version>``
+   - API image would be of format: ``<ocir-image>:<export-number>-<image-id>-<tenancy-namespace>-feature-store-api-<version>``
+
+- :ref:`Create kubernetes docker secret <Kubernetes secret>`
+
+- :ref:`Generate custom values.yaml for deployment <Helm values>`
+
+- Install the helm chart
+
+.. code-block:: bash
+
+   helm upgrade feature-store-api oci://<helm-chart-image-path> --namespace feature-store --values <path-to-values-yaml> --timeout 300s --wait -i
+- (Optional) `Setup Feature Store API Gateway <https://github.com/oracle-samples/oci-data-science-ai-samples/tree/main/feature_store/apigw_terraform>`_
+
+
+Appendix
+________
+
+.. _Helm Setup:
+
+Setup Helm to use OCIR
+______________________
+
+To login to Container Registry using the Helm CLI:
+
+- If you already have an auth token, go to the next step. Otherwise:
+   - In the top-right corner of the Console, open the Profile menu and then click User settings to view the details.
+   - On the Auth Tokens page, click Generate Token.
+   - Enter a friendly description for the auth token. Avoid entering confidential information.
+   - Click Generate Token. The new auth token is displayed.
+   - Copy the auth token immediately to a secure location from where you can retrieve it later, because you won't see the auth token again in the Console.
+   - Close the Generate Token dialog.
+  
+- In a terminal window on the client machine running Docker, log in to Container Registry by entering  ``helm registry login <region-key>.ocir.io``, where <region-key> corresponds to the key for the Container Registry region you're using. For example, ``helm registry login iad.ocir.io``. See `Availability by Region <https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryprerequisites.htm#regional-availability>`_.
+- When prompted for a username, enter your username in the format <tenancy-namespace>/<username>, where <tenancy-namespace> is the auto-generated Object Storage namespace string of your tenancy (as shown on the Tenancy Information page). For example, ansh81vru1zp/jdoe@acme.com. If your tenancy is federated with Oracle Identity Cloud Service, use the format <tenancy-namespace>/oracleidentitycloudservice/<username>.
+- When prompted for a password, enter the auth token you copied earlier.
+
+.. _Kubernetes secret:
+
+Kubernetes Docker Secret Configuration
+__________________________________________________________
+- If you don't already have an auth token refer :ref:`<helm setup>`
+- `Login to Kubernetes cluster <https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm#:~:text=Under%20Containers%20%26%20Artifacts%2C%20click%20Kubernetes,shows%20details%20of%20the%20cluster>`_
+- Run command
+
+.. code-block:: bash
+
+   kubectl create secret docker-registry <secret-name> --docker-server=<region-key>.ocir.io --docker-username=<tenancy-namespace>/<username> --docker-password=<auth token>
+
+.. _Helm values:
+
+Helm values configuration:
+__________________________________________________________
+
+- Minimal Helm values example for getting started:
+
+.. code-block:: yaml
+
+   db:
+      configuredDB: MYSQL
+      mysql:
+         authType: BASIC
+         basic:
+            password: #enter-db-password-here
+         jdbcURL: jdbc:mysql://<db-ip>:3306/FeatureStore?createDatabaseIfNotExist=true
+         username: #enter-db-username-here
+   imagePullSecrets:
+   - name: #enter secret name containing docker secret here
+   oci_meta:
+      images:
+      repo: #ocir repo: <region-key>.ocir.io/<tenancy-namespace>/repository
+         api:
+            image: #ocir image: The name of image>
+            tag: #API Image tag
+         authoriser:
+            image: na
+            tag: na
+      
+
+
+- All available Helm values
+
+.. code-block:: yaml
+
+   oci_meta:
+   repo: #ocir repo: <region-key>.ocir.io/<tenancy-namespace>/repository
+   images:
+      api:
+         image: #ocir image: The name of image
+         tag: #API Image tag
+      authoriser: # We don't want to deploy this image. This image will be deployed with OCI functions
+            image: na
+            tag: na
+
+   imagePullSecrets:
+    - name:  #name-of-docker-secret-with-credentials
+
+   db:
+   configuredDB: #type of DB configured. possible values: "MYSQL"
+   mysql:
+      authType: #Type of authentication to use for connecting to database.
+                # Possible values: 'BASIC', 'VAULT'
+      jdbcURL: #JDBC URL of the MySQL server
+      username: #Name of the user on MySQL server
+      basic:
+         password: #Password to mysql server in plain-text format
+      vault:
+         vaultOcid: #OCID of the vault where the secret is kept
+         secretName: #Name of the secret used for connecting to vault
+
+   resources: #https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+   nameOverride: #Value for label app.kubernetes.io/name
+
+   podSecurityContext: #Pod security #https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+   securityContext: #Container Security context #https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+   deploymentStrategy: #This block is directly inserted into pod spec
+                      #https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+
+
+   nodeSelector: {} #Pod node selector
+                   #https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+
+   tolerations: []  #Pod tolerations
+                    #https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+
+   affinity: {}  #Pod affinity 
+                 #https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+
+   replicaCount: #Pod replicas
+                 #https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+
+   autoscaling: #Horizontal pod scaling details
+                #https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+      enabled:
+      minReplicas:
+      maxReplicas:
+      targetCPUUtilizationPercentage:
+      targetMemoryUtilizationPercentage:
+   scaleUp:
+      stabilizationWindowSeconds:
+      periodSeconds:
+      podCount:
+      percentage:
+   scaleDown:
+      stabilizationWindowSeconds:
+      periodSeconds:
+      podCount:
+      percentage:
+
+   applicationEnv:
+   containerName: #Container name
+
+   livenessProbe: # Liveness probe details
+      initialDelaySeconds:
+      periodSeconds:
+      timeoutSeconds:
+      failureThreshold:
+
+   readinessProbe: # Readiness probe details
+      initialDelaySeconds:
+      periodSeconds:
+      timeoutSeconds:
+      failureThreshold:
+

ads/opctl/backend/marketplace/marketplace_utils.py

@@ -146,7 +146,6 @@ def list_container_images(
     artifact_client = OCIClientFactory(**authutil.default_signer()).artifacts
     list_container_images_response = artifact_client.list_container_images(
         compartment_id=compartment_id,
-        compartment_id_in_subtree=True,
         sort_by="TIMECREATED",
         repository_name=ocir_image_path,
     )